Researcher refuses to help Saudi telco to spy on people

You would think that a Saudi Arabian telecom firm interested in monitoring its users’ mobile communications would not be asking a well-known pro-privacy researcher such as Moxie Marlinspike for help, but you would be wrong.

Marlinspike – the author of the GoogleSharing proxy service; creator of Convergence, an alternative to the flawed CA trust model; co-founder and CTO of Whisper Systems, which offered its free voice and text encryption software to Egyptian users during the 2011 revolution; author of the MitM tool sslstrip; and finally a former Twitter employee that was involved in writing its TLS code – described the “pitch” in a blog post.

He says that his was contacted by an agent of telecommunication company Mobily and was asked to help with a program for monitoring communication going through Mobile Twitter, Viber, Line, and WhatsApp.

“I was told that the project is being managed by Yasser D. Alruhaily, Executive Manager of the Network and Information Security Department at Mobily. The project’s requirements come from ‘the regulator’ (which I assume means the government of Saudi Arabia). The requirements are the ability to both monitor and block mobile data communication, and apparently they already have blocking setup,” he wrote.

After probing a little, he also discovered that they intend to force a CA in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception, and that they were even looking into acquiring SSL vulnerabilities and exploits for them as alternatives to the original plan.

After having refused the job and having explained he did so for privacy reasons, the agent said they were trying to thwart terrorists, not spy on regular users, but Marlinspike is obviously unconvinced by the explanation.

“Really, it’s no shock that Saudi Arabia is working on this, but it is interesting to get fairly direct evidence that it’s happening. More to the point, if you’re in Saudi Arabia (or really anywhere), it might be prudent to think about avoiding insecure communication tools like WhatsApp and Viber (TextSecure and RedPhone could serve as appropriate secure replacements), because now we know for sure that they’re watching,” he added.

It took only a day for Mobily to react and say that they are investigating Marlinspike’s claim, adding that the tale of his communication with the agent “is not 100% accurate.”

I advise reading Marlinspike’s blog post in its entirety, as it makes some very good points about the change of hacker culture over time, and the need to fight it.